Changing Ports & Remote Users for Security Reasons

Hi Everyone!

I have a question and need some guidance on how to go about handling remote users as well as changing ports of SSH and VoIP.

On one of our servers, we have about 100 extensions (all remote) and I want to be able to change the default ports for everything, while I learn about firewalls, port forwarding and security in general. Is this a good idea?

My second question is how does one do this without causing havoc for all these clients? They are spread out amoung provinces and it is really not possible to travel to each client and re-program their phone.

What is the best way to handle this? The reason we’re going this route is because I am tired of receiving a string of emails from Fail2Ban telling me that IP addresses are getting banned every day. It’s good that its working, however, I just want to be extra sure. Also, we’ve had some clients complain about getting phantom calls which is also no bueno.

Any and all help would be appreciated!

Thank you!

Hi Krystyna,
I just did something similar for a client with several remote offices. I changed the SIP Port for security reasons so that it is not the default of 5060.

The post below should be of use to you.

What phone models does your company use?

Keep in mind that this is a very disruptive change of settings, it will need to be done after hours because it will disrupt service for all users until all configurations are done and heres what it will involve:

  • Changing the configuration of every single phone, manually (hopefully you can do this remotely, i was able to because our Cisco phones download their XML config files from the HQ TFTP server. I updated all files, then the phones downloaded them at their next scheduled resync time) It looks like this will be your biggest obstacle, updating every phone config file. Everything else is fairly straight forward
  • If you have SIP trunks, you will need to call your provider and let them know to send SIP requests to the new port
  • Port forwarding from Router to FreePBX (this is detailed in the post below)
  • Changing FreePBX SIP settings (GUI only)

Another thing to keep in mind is that ANYTHING that connects to your pbx using SIP needs to be reconfigured with new port. The first thing you think of is your phones and your SIP trunks, but do you have other SIP devices like a VoiceGateway/ATA device with Fxs or fxo ports? Its config will need to be updated as well to connect to the freepbx on the new port

     Spida,

Thanks for the reply, that looks pretty solid. What is working for me right now is

Changed the SIP BindPort to a random port for example 40500Changed the SIP BindAddress to my local FreePBX server address, 10.1.1.5Updated all phone configs to register with proxy like so, 10.1.1.5:40500Port Forwarded 40500, TCP and UDP, to 10.1.1.5

I also set up SIP TCP on the port to save battery on remote softphone cellphone clients

Added tcpenable=yes to Asterisk SIP settingsAdded tcpbindaddress=10.1.1.5:40500amportal restartUpdated the remote extension settings in FreePBX to accept TCP only, and qualify:noUpdated softphone clients to register to for example sip.myHQpbx.com:40500 TCP

To make things a little more interesting, I also have a remote office
setup with another FreePBX server and its own SIP ITSP, lets call it
RemoteOffice1 and HQ.

RemoteOffice1 has a phone that registers line 1 to its own FreePBX, but then also registers line 2 to HQ’s FreePBX
(proxy: sip.myHQpbx.com:40500 UDP)

Then HQ phone has line 1 registered to its own pbx, and line 2 registered to sip.myRemoteOffice1pbx.com:40600

To make this work, I had to port forward RTP and SIP on both routers suchas

HQ Router forwards:
40500 TCP/UDP -> 10.1.1.5
10000 - 20000 UDP -> 10.1.1.5

RemoteOffice1 forwards
40600 TCP/UDP -> 192.168.5.5
10000 - 20000 UDP -> 192.168.5.5

Without the RTP forwards at both routers, I would get no way audio
when calling from one office that is registered to the other office.

I am happy with the security of this configuration so far, it was a
pain to figure out some of it, but everything is working great now.

I also should mention that I received a TON of support from other forum members, especially @dicko,
everyone here is super helpful and responsive. To make up for all the
time I drain from other members with my questions, I try to give back by
replying to posts that I can help others with.

Hi!

Thank you for the super detailed post! I’ll look into this immediately! The hardest thing as you mentioned will be to update the ports on each client’s phone :blush: There is a mixture of phones and ATA’s invovled with varying brands but majority are Grandstream devices with a couple of Aastra here and there and a lone Chinese brand of ATA…

This is a lot bigger than I had thought to be honest! However, it does seem like a quick and dirty solution to something else that should be done.

I see how this may be a very difficult task to reprogram all the remote devices at remote locations, in which case you may have to just stick with relying on Fail2Ban

However, using a non standard SIP port is the best form of remote SIP security in my opinion.

Think if you are the hacker, you scan a public IP and see 5060 open. You then know you can begin trying to brute force extension passwords or attack other SIP vulnerabilities. So you try that, but you get IP banned by Fail2Ban so you move on to an easier target. The next hacker comes along and does the same thing, and this happens over and over. No one ever breaks in (hopefully!) but bandwidth and server processor time is wasted for the FreePBX server’s owner, and maybe sometimes an attack is so strong that it creates a denial of service for legitimate users trying to connect.

Scenario number 2: Hacker scans your public IP. He finds that port 45600 is open. He looks up what services run on 45600 by default to see if there are any vulnerabilities to be exploited. He finds nothing and moves on, never knowing that the port is being used for SIP.

Hi Again Reily!!

Yes, I thought it would be the best solution but at this point and time not quite feasible :blush: Is there anything further that I can do with Fail2Ban that will save my email inbox from being filled with all these emails lol? Currently I’m using the default FreePBX distro settings, with additions on bantime and limiting the number of times an IP is banned.

Thank you so much for your quick responses and assistance!!

Turn off email alerts? :wink:

Unfortunately, as long as 5060 is open, you will be attacked. Fail2Ban will hopefully always protect you, but its a cat and mouse game of IP banning.

There really only two good solutions to stop being attacked and neither are is easy fix:

  • Change the bindport as we discussed above

  • Setup OpenVPN or other VPN at all remote offices that will connect them back to the LAN of HQ. Then 5060 can be CLOSED to the internet (everything goes over the VPN and its like its on the same LAN) and no more attacks! Even very cheap ($30) consumer routers can be flashed with DDWRT firmware and then can be used as OpenVPN clients. However, I’m sure this is of no use to you because it would probably be even more work than the bindport.

One more thing about the VPN solution though, it may be a more viable option for your particular situation because:

The bindport solution is basically impossible because of the downtime required. EVERYONE will be down until every single phone has been reconfigured.

Setting up a VPN solution for every remote office to connect back to the HQ LAN however can be integrated gradually, one site at a time, on your own schedule. Then, once all sites have been converted to VPN, 5060 can be closed at HQ

The funny thing is it’s not my SIP or Asterisk port that is getting hammered, it’s the SSH… which I find to be even more annoying as I have SSH keys and have completely disabled password based authentication via SSH to my server. Currently have 128 IP addresses blocked and counting probably… Would there be any harm in changing the SSH port? Mind you, my servers are currently sitting in a datacenter and I really don’t want to leave the house right now lol :slight_smile: What are the chances of my getting locked out should I change the SSH port with SSH keys? I think it would be done, but these things sometimes have a way of bitting you in the rear!

Port 22 will always be hammered it is just how it is, to ameliorate:-

I should note that your current ssh connection on 22 will not go down when you restart the sshd service, so you can check with another session that it still works on the “new port”, if you have set your firewall up properly it will still work .

(I would have to say though , that if you had set your firewall up securely in the first place, you wouldn’t have all those connections attempts in the first place :wink: )

To make sure I don’t get locked out, I would setup PPTP VPN on the freepbx (command line installation but not that difficult). Its alot easier to get up and running than OpenVPN, its less secure, but its temporary.

  • Setup PPTP server

  • Connect to PPTP server

  • SSH to local IP of FreePBX

  • Change the SSH Port configuration

  • Remove PPTP server

  • SSH to new port

  • Never worry about people attacking SSH again

Then you won’t get locked out mid configuration

It is really rather easily feasible, before you make the “changes” you open “pinholes” on your firewall (or iptables) from all your current SIP client networks from 5060 to your “new port”, then they will work on 5060 OR the “new port”, BUT, “NO MORE BAD GUYS” !!, do the same for any other ports you have open . . .

(rasterisk -x ‘sip show peers’ and look at the IP’s currently being registered from, if they are using DHCP service from THEIR ISP , then choose the smallest network that "whois (ip address) " returns)

In Fail2Ban (Intrusion detection) settings in System Admin, Whitelist the IP addresses and they will not be banned any more. I did this after locking my own PC out of the web interface after getting my UCP password wrong a few times …

Hi Dicko!

This is what I suspect… but I’m using the default detection/IPTables/Fail2Ban settings that came with the distro because when I asked in previous posts if I could make changes to the Fail2Ban settings directly, forum members were saying that it had a negative effect on the sysadmin module or something like that and that basically if I did so I was “on my own”, so I’m trying to find a way to secure my system without tampering too much with the “default” and “Standard” settings of the distro so much so that I can no longer receive support from FreePBX.

Would you be able to provide some guidance as as to how to do this?

Thank you in advance, it’s really appreciated!!

@dicko @pezzz @rchase I’ve been doing some Googling and have come across APF and BFD (I’ve also seen it being talked about on the forum). I’ve found this particular tutorial here (http://voiplet.com/tutorials/securing-asterisk-freepbx-voip-server-with-apf-bfd.php) which I believe is quiet in-depth HOWEVER, it states that Fail2Ban should be UNINSTALLED before installing APF and BFD?! Is this correct? Should I do this, especially since I’m guessing it will greatly affect the upgrade/update process of the FreePBX distro in the future. What are your thoughts on this please? Also, is there an up to date tutorial on using GeoIP with APT and BFD? I’ve found some but they were written in 2009 and beyond and some of the links are either broken or that databases are non-existant. Any advice would be a blessing!!

My personal choice is CSF/LFD it has scripts to elegantly start (and stop) fail2ban after you have the firewall in place and IMHO does a lot more than it’s competitors.

Fail2ban properly set up does a lot more than watch asterisk/voip servers there are jails for many more services in the distro, the current version however will not easily run on your distribution.

GeoIP is probably a waste of time, a current valid database is quite expensive and the Chinese and Palestinians have for the most part moved to cloud servers in France and America. (they are not stupid :wink: )

As to Sysadmin and Schmooze support, I can’t answer as I don’t use either.